LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
1. Plan your installation (see Section 3.4.3 (page 129)).
2. Install LDAP-UX Client Services on each client system (see Section 3.4.4 (page 134)).
3. Install and configure the Active Directory, if not already done (see Section 3.4.5 (page 135)).
4. Install the PAM Kerberos product (see Section 3.4.6.1 (page 139)).
5. Run the setup program to configure LDAP-UX Client Services on a client system (see
Section 3.4.6.2 (page 139)). The setup program does the following for you:
• Extends your Active Directory schema with the configuration profile schema, if not already
done.
NOTE: To use a local-only profile, run the setup program using the -l option. Use
the local-only profile for small deployments, testing purposes, and for environments where
administrators lack server administrative privileges.
• Creates a startup file on the client. This enables each client to download the configuration
profile.
• Creates a configuration profile of directory access information in the directory, to be
shared by a group of (or possibly all) clients.
If the ADS multiple domains feature has been selected, the setup program will also
create the remote domains profiles, GCS profile, or both.
• Downloads the configuration profile from the directory to the client.
• Starts the product daemon, ldapclientd, if you choose to start it.
6. Configure the LDAP name service (see Section 3.4.6.4 (page 150) and Section 3.4.6.3
(page 149)).
7. Configure PAM Kerberos (see Section 3.4.2 (page 128)).
8. Optionally, configure the PAM Authorization Service Module (PAM_AUTHZ) to control access
rules defined in a policy file. You can perform this step while configuring LDAP-UX
Client Services (see Section 3.4.6.5 (page 150)); for more information about configuring this
service, see Section 7.4 (page 199).
9. Optionally, configure the disable login flag (disable_uid_range) to prevent specific users
from logging in to the local system (see Section 3.4.6.6 (page 151)).
10. If you intend to enable SSL or TLS support with LDAP-UX, configure your LDAP server to
support SSL or TLS (see Section 3.4.7 (page 151)).
11. Migrate your supported name service data to the directory. Refer to Section 3.5.1 (page 151).
12. Verify each client is working properly (see Section 3.5.2 (page 152)).
13. Enable AutoFS support (see Section 3.5.3 (page 152)).
14. Prevent unwanted users from accessing the system through LDAP (see Section 3.5.4 (page 157)).
15. Configure subsequent clients, using shortcuts described in Section 3.5.5 (page 157).
3.4.2 Tasks that must be performed to implement Kerberos support
When you use the customized installation (setup program) to install and configure LDAP-UX Client
Services, you must perform several installation and configuration tasks, documented throughout
this manual, to set up Kerberos authentication support. These tasks are summarized in Table 12
(page 128). You can use this table as a checklist.
Table 12 Kerberos-related tasks to perform
Task | Section of this manual
Install the PAM Kerberos product | Section 3.4.6.1 (page 139)
Configure the PAM Kerberos library in the PAM configuration file | “Sample PAM configuration (pam.conf) files” (page 420)
128 Installing and configuring LDAP-UX Client Services for a Windows ADS environment